Rising Kaka Security Forum (瑞星卡卡安全论坛)

Please help me check whether my machine has a trojan, thanks!
zizp - 2006-9-18 13:17:00
I installed Kaspersky Anti-Hacker, and in its network monitor I keep seeing a host named ns-pd.online.sh.cn, IP address 202.96.209.133, that is constantly sending things out, or else sending things in to me. I thought some piece of software was behind it, so I reinstalled the system, but after the reinstall, with nothing but Kaspersky installed, I still see that address on my machine. This never happened before, so I don't know what kind of trojan I have been infected with.


Below is the output of a RootkitRevealer scan:

C:\$AttrDef    2006-6-8 0:29    2.50 KB    Hidden from Windows API.
C:\$BadClus    2006-6-8 0:29    0 bytes    Hidden from Windows API.
C:\$BadClus:$Bad    2006-6-8 0:29    7.81 GB    Hidden from Windows API.
C:\$Bitmap    2006-6-8 0:29    250.04 KB    Hidden from Windows API.
C:\$Boot    2006-6-8 0:29    8.00 KB    Hidden from Windows API.
C:\$Extend    2006-6-8 0:29    0 bytes    Hidden from Windows API.
C:\$Extend\$ObjId    2006-6-7 17:04    0 bytes    Hidden from Windows API.
C:\$Extend\$Quota    2006-6-7 17:04    0 bytes    Hidden from Windows API.
C:\$Extend\$Reparse    2006-6-7 17:04    0 bytes    Hidden from Windows API.
C:\$LogFile    2006-6-8 0:29    42.02 MB    Hidden from Windows API.
C:\$MFT    2006-6-8 0:29    11.08 MB    Hidden from Windows API.
C:\$MFTMirr    2006-6-8 0:29    4.00 KB    Hidden from Windows API.
C:\$Secure    2006-6-8 0:29    0 bytes    Hidden from Windows API.
C:\$UpCase    2006-6-8 0:29    128.00 KB    Hidden from Windows API.
C:\$Volume    2006-6-8 0:29    0 bytes    Hidden from Windows API.
D:\$AttrDef    2006-3-14 9:07    2.50 KB    Hidden from Windows API.
D:\$BadClus    2006-3-14 9:07    0 bytes    Hidden from Windows API.
D:\$BadClus:$Bad    2006-3-14 9:07    9.77 GB    Hidden from Windows API.
D:\$Bitmap    2006-3-14 9:07    312.55 KB    Hidden from Windows API.
D:\$Boot    2006-3-14 9:07    8.00 KB    Hidden from Windows API.
D:\$Extend    2006-3-14 9:07    0 bytes    Hidden from Windows API.
D:\$Extend\$ObjId    2006-3-14 9:08    0 bytes    Hidden from Windows API.
D:\$Extend\$Quota    2006-3-14 9:08    0 bytes    Hidden from Windows API.
D:\$Extend\$Reparse    2006-3-14 9:08    0 bytes    Hidden from Windows API.
D:\$LogFile    2006-3-14 9:07    52.02 MB    Hidden from Windows API.
D:\$MFT    2006-3-14 9:07    12.15 MB    Hidden from Windows API.
D:\$MFTMirr    2006-3-14 9:07    4.00 KB    Hidden from Windows API.
D:\$Secure    2006-3-14 9:07    0 bytes    Hidden from Windows API.
D:\$UpCase    2006-3-14 9:07    128.00 KB    Hidden from Windows API.
D:\$Volume    2006-3-14 9:07    0 bytes    Hidden from Windows API.
E:\$AttrDef    2006-3-14 16:59    2.50 KB    Hidden from Windows API.
E:\$BadClus    2006-3-14 16:59    0 bytes    Hidden from Windows API.
E:\$BadClus:$Bad    2006-3-14 16:59    9.77 GB    Hidden from Windows API.
E:\$Bitmap    2006-3-14 16:59    312.55 KB    Hidden from Windows API.
E:\$Boot    2006-3-14 16:59    8.00 KB    Hidden from Windows API.
E:\$Extend    2006-3-14 16:59    0 bytes    Hidden from Windows API.
E:\$Extend\$ObjId    2006-3-14 17:00    0 bytes    Hidden from Windows API.
E:\$Extend\$Quota    2006-3-14 17:00    0 bytes    Hidden from Windows API.
E:\$Extend\$Reparse    2006-3-14 17:00    0 bytes    Hidden from Windows API.
E:\$LogFile    2006-3-14 16:59    52.02 MB    Hidden from Windows API.
E:\$MFT    2006-3-14 16:59    14.95 MB    Hidden from Windows API.
E:\$MFTMirr    2006-3-14 16:59    4.00 KB    Hidden from Windows API.
E:\$Secure    2006-3-14 16:59    0 bytes    Hidden from Windows API.
E:\$UpCase    2006-3-14 16:59    128.00 KB    Hidden from Windows API.
E:\$Volume    2006-3-14 16:59    0 bytes    Hidden from Windows API.
E:\    2006-7-10 17:07    5.69 KB    Hidden from Windows API.
E:\    2006-7-10 17:07    68 bytes    Hidden from Windows API.
E:\    2006-7-10 17:07    0 bytes    Hidden from Windows API.
F:\$AttrDef    2006-3-14 17:11    2.50 KB    Hidden from Windows API.
F:\$BadClus    2006-3-14 17:11    0 bytes    Hidden from Windows API.
F:\$BadClus:$Bad    2006-3-14 17:11    10.98 GB    Hidden from Windows API.
F:\$Bitmap    2006-3-14 17:11    351.52 KB    Hidden from Windows API.
F:\$Boot    2006-3-14 17:11    8.00 KB    Hidden from Windows API.
F:\$Extend    2006-3-14 17:11    0 bytes    Hidden from Windows API.
F:\$Extend\$ObjId    2006-3-14 17:11    0 bytes    Hidden from Windows API.
F:\$Extend\$Quota    2006-3-14 17:11    0 bytes    Hidden from Windows API.
F:\$Extend\$Reparse    2006-3-14 17:11    0 bytes    Hidden from Windows API.
F:\$LogFile    2006-3-14 17:11    58.25 MB    Hidden from Windows API.
F:\$MFT    2006-3-14 17:11    7.79 MB    Hidden from Windows API.
F:\$MFTMirr    2006-3-14 17:11    4.00 KB    Hidden from Windows API.
F:\$Secure    2006-3-14 17:11    0 bytes    Hidden from Windows API.
F:\$UpCase    2006-3-14 17:11    128.00 KB    Hidden from Windows API.
F:\$Volume    2006-3-14 17:11    0 bytes    Hidden from Windows API.
F:\g.\boot.ini    2006-6-12 14:30    279 bytes    Hidden from Windows API.
F:\g.\bzbq.exe    2006-6-9 21:23    62 bytes    Hidden from Windows API.
F:\g.\SYS.DAT    2006-6-12 14:30    2.00 KB    Hidden from Windows API.
F:\g.\WIN.GHO    2006-6-12 14:30    649.98 MB    Hidden from Windows API.
F:\g.\WIN00001.GHS    2006-6-12 14:30    431.85 MB    Hidden from Windows API.


C:\Documents and Settings\Administrator\Local Settings\Temp\9AA52C.dmp    2006-9-18 12:30    61.67 KB    Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YJMJ6ZCV\cursor[1].htm    2006-9-18 12:29    912 bytes    Visible in Windows API, directory index, but not in MFT.
E:\    2006-7-10 17:07    5.69 KB    Hidden from Windows API.
E:\    2006-7-10 17:07    68 bytes    Hidden from Windows API.
E:\    2006-7-10 17:07    0 bytes    Hidden from Windows API.
F:\g.\boot.ini    2006-6-12 14:30    279 bytes    Hidden from Windows API.
F:\g.\bzbq.exe    2006-6-9 21:23    62 bytes    Hidden from Windows API.
F:\g.\SYS.DAT    2006-6-12 14:30    2.00 KB    Hidden from Windows API.
F:\g.\WIN.GHO    2006-6-12 14:30    649.98 MB    Hidden from Windows API.
F:\g.\WIN00001.GHS    2006-6-12 14:30    431.85 MB    Hidden from Windows API.
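A triage helper for scan output in the format shown above, added here as an example; it is not part of the original post and not RootkitRevealer's own code. It parses the tool's four-column result lines and separates the NTFS metadata entries ($MFT, $Extend and so on), which RootkitRevealer is documented to report as hidden on every NTFS volume, from entries that merit a closer look (names Win32 cannot open because of a trailing dot, names that did not survive display, and directory-index-only entries that should be confirmed by a rescan). The sample lines inside are constructed to mirror the kinds of paths in the post; the category names are this example's own.

```python
import re

# One RootkitRevealer result line: path, timestamp, size, status.
# The tool's export is tab-separated; the forum copy above runs the fields
# together with spaces, so two-or-more spaces are accepted as a separator too.
_SEP = r"(?:\t| {2,})"
_LINE = re.compile(
    r"^(?P<path>.*?)" + _SEP +
    r"(?P<ts>\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{2})" + _SEP +
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB))" + _SEP +
    r"(?P<status>.+?)\s*$"
)
# NTFS metadata lives directly under the volume root and starts with '$'
# (C:\$MFT, C:\$Extend\$ObjId, C:\$BadClus:$Bad).
_NTFS_META = re.compile(r"^[A-Za-z]:\\\$")

# Constructed sample in the same layout as the post's scan output.
SAMPLE = r"""
C:\$MFT    2006-6-8 0:29    11.08 MB    Hidden from Windows API.
C:\$Extend\$ObjId    2006-6-7 17:04    0 bytes    Hidden from Windows API.
E:\    2006-7-10 17:07    68 bytes    Hidden from Windows API.
F:\g.\bzbq.exe    2006-6-9 21:23    62 bytes    Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temp\9AA52C.dmp    2006-9-18 12:30    61.67 KB    Visible in directory index, but not Windows API or MFT.
"""

def parse_line(line):
    """Return the four fields of one result line as a dict, or None otherwise."""
    m = _LINE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Put one parsed entry into a triage bucket; the first matching rule wins."""
    path, status = entry["path"], entry["status"]
    if _NTFS_META.match(path):
        return "expected_ntfs_metadata"   # normal noise on every NTFS volume
    parts = path.split("\\")
    # Win32 strips trailing dots/spaces from names, so such a directory cannot be
    # opened by ordinary tools even though the native API (and the scanner) sees it.
    if any(p[-1] in ". " for p in parts[1:] if p):
        return "win32_unreachable_name"
    if parts[-1] == "":
        return "unprintable_name"         # name lost in display; inspect with a raw tool
    if status.startswith("Visible in"):
        return "rescan_to_confirm"        # index/MFT mismatch: changed mid-scan or hidden
    return "review"

def triage(text):
    """Group the paths of every result line in `text` by triage bucket."""
    buckets = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            buckets.setdefault(classify(entry), []).append(entry["path"])
    return buckets
```

Paste a whole RootkitRevealer listing into `triage()`; anything outside `expected_ntfs_metadata` is the short list worth examining by hand.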